27236a4348
* gnu/packages/patches/bluez-CVE-2017-1000250.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/linux.scm (bluez)[replacement]: New field. (bluez/fixed): New variable.
43 lines
1.8 KiB
Diff
43 lines
1.8 KiB
Diff
Description: CVE-2017-1000250: information disclosure vulnerability in service_search_attr_req
|
|
Origin: vendor
|
|
Bug-Debian: https://bugs.debian.org/875633
|
|
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1489446
|
|
Bug-SuSE: https://bugzilla.suse.com/show_bug.cgi?id=1057342
|
|
Forwarded: no
|
|
Author: Armis Security <security@armis.com>
|
|
Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
|
|
Last-Update: 2017-09-13
|
|
|
|
--- a/src/sdpd-request.c
|
|
+++ b/src/sdpd-request.c
|
|
@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_r
|
|
/* continuation State exists -> get from cache */
|
|
sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
|
|
if (pCache) {
|
|
- uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
|
|
- pResponse = pCache->data;
|
|
- memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
|
|
- buf->data_size += sent;
|
|
- cstate->cStateValue.maxBytesSent += sent;
|
|
- if (cstate->cStateValue.maxBytesSent == pCache->data_size)
|
|
- cstate_size = sdp_set_cstate_pdu(buf, NULL);
|
|
- else
|
|
- cstate_size = sdp_set_cstate_pdu(buf, cstate);
|
|
+ if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
|
|
+ status = SDP_INVALID_CSTATE;
|
|
+ SDPDBG("Got bad cstate with invalid size");
|
|
+ } else {
|
|
+ uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
|
|
+ pResponse = pCache->data;
|
|
+ memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
|
|
+ buf->data_size += sent;
|
|
+ cstate->cStateValue.maxBytesSent += sent;
|
|
+ if (cstate->cStateValue.maxBytesSent == pCache->data_size)
|
|
+ cstate_size = sdp_set_cstate_pdu(buf, NULL);
|
|
+ else
|
|
+ cstate_size = sdp_set_cstate_pdu(buf, cstate);
|
|
+ }
|
|
} else {
|
|
status = SDP_INVALID_CSTATE;
|
|
SDPDBG("Non-null continuation state, but null cache buffer");
|